Comments on: The ChoicePoint Settlement http://www.concurringopinions.com/archives/2006/01/the_choicepoint_1.html The Law, the Universe, and Everything Sun, 22 Nov 2009 15:33:39 -0700 http://wordpress.org/?v=2.8.3 hourly 1 By: Bruce http://www.concurringopinions.com/archives/2006/01/the_choicepoint_1.html/comment-page-1#comment-60582 Bruce Mon, 30 Jan 2006 23:17:18 +0000 http://www.solove.org/archives/2006/01/the-choicepoint-settlement.html#comment-60582 I don't agree with the conclusion that an exception for breaches that do not produce "a significant risk of identity theft" means that no breaches will be reported. That language is pretty mushy, and assuming more than minimal enforcement (which seems a safe assumption at the moment with the FTC), a subjective internal assessment of insignificant risk does not seem like a comfortable safe harbor for businesses attempting to avoid the PR and regulatory hit of having a complaint filed against them. On the plus side, it means that consumers won't get flooded with notices every time a backup tape in a proprietary format gets logged in wrong at the warehouse. I don’t agree with the conclusion that an exception for breaches that do not produce “a significant risk of identity theft” means that no breaches will be reported. That language is pretty mushy, and assuming more than minimal enforcement (which seems a safe assumption at the moment with the FTC), a subjective internal assessment of insignificant risk does not seem like a comfortable safe harbor for businesses attempting to avoid the PR and regulatory hit of having a complaint filed against them. On the plus side, it means that consumers won’t get flooded with notices every time a backup tape in a proprietary format gets logged in wrong at the warehouse.

]]> By: Gary Moore http://www.concurringopinions.com/archives/2006/01/the_choicepoint_1.html/comment-page-1#comment-60581 Gary Moore Mon, 30 Jan 2006 15:26:14 +0000 http://www.solove.org/archives/2006/01/the-choicepoint-settlement.html#comment-60581 Daniel, Great article. And you are exactly correct in stating the following about the proposed bill "With most of the security breaches that were announced in 2005, the companies insisted that the risk of identity theft was minimal to non-existent. So it would seem that with this provision, hardly any companies would make the disclosure. If a company decides that it must disclose, then it is also conceding that there is a "significant risk" of identity theft from its breach. Few companies will want to make such a concession, as it will create a public relations nightmare" I have evidence to back that up. Back in 2002, Information Week had a survey of over 3400 companies. In that survey, almost 50% of the companies surveyed do not report an security incident with anyone. This includes partners, customers, legal counsel, the CERT advisory group and government authorities. In fact barely 20% of these companies contact legal counsel and less than 20% have contacted the government. If that proposed bill passes, it will preempt stronger state lawas and companies will be less inclined to report security breaches. Daniel,

Great article. And you are exactly correct in stating the following about the proposed bill

“With most of the security breaches that were announced in 2005, the companies insisted that the risk of identity theft was minimal to non-existent. So it would seem that with this provision, hardly any companies would make the disclosure. If a company decides that it must disclose, then it is also conceding that there is a “significant risk” of identity theft from its breach. Few companies will want to make such a concession, as it will create a public relations nightmare”

I have evidence to back that up. Back in 2002, Information Week had a survey of over 3400 companies. In that survey, almost 50% of the companies surveyed do not report an security incident with anyone. This includes partners, customers, legal counsel, the CERT advisory group and government authorities. In fact barely 20% of these companies contact legal counsel and less than 20% have contacted the government.

If that proposed bill passes, it will preempt stronger state lawas and companies will be less inclined to report security breaches.

]]>